Yaser Balaghi Leaves Calling Card After Hacking the IDF

Iranian hacker made grave error in hacking a former chief of staff of the Israeli Defense Force (IDF).

The hacker Tehran-based Yaser Balaghi (see photo above), later boasted of the hack, but he also accidentally left behind a digital calling card which let his identity be exposed.

His grave error caused Iran to stop the hacking operation which targeted 1800 people globally, including Israeli army generals, human rights activists in the Persian Gulf and scientists. 

The cyber operation hacking group known as “Rocket Kitten” (linked with the Iranian Revolutionary Guards and identified in 2014), started the attack in November 2015, and targets received email messages aimed at sending spyware into their computers.

More than 25% of people targeted had opened the emails and without knowing downloaded spyware and allowed hackers to steal information from computers.

The cyber attacks originated from Iran against targets in Israel and the Middle East with Israeli generals among the targets.

The hackers used techniques including “targeted phishing” (where hackers use false web pages that look like real ones to get user identification data) and then hacked 40 targets in Israel and 500 across the world.

The Israeli targets included generals, employees of security consulting firms and academic researchers.

CheckPoint Software researchers revealed the identity of Balaghi when they found that Balaghi goes by the handle of “Wool3n.H4T”.

Not only did Rocket Kitten hackers leave default passwords in place and allow password-less root access to their server management software but they infected their own C&C (Command & Control) server with their keylogger malware…but then left it in place #fail.

The CheckPoint researchers were then able to harvest the usernames and passwords of any accounts which the hackers had logged on to from their server.Oh dear…

In addition to allow password-less root access to any browsing visitor the hackers made many other basic mistakes including failing to hide a path to the server from where the attacks originated.

That provided clear evidence that the attacks originated in Iran #timeforanewjob

CheckPoint discovered Balaghi’s (Wool3n.H4T) AOL account (AOL, really?!), YaserBalaghi@aol.com with his uber 7337 password of: 123456789 (double #fail). This took them to a Farsi resume which he had posted online to boast of hacking work which he had done for “a cyber-organization” presumably an Iranian security agency 🙂

The researchers found a database which lists the names of the members of the hacking crew (apparently real ones as they were typical Iranian first and family names #lol),
as well as links to web pages infected with their malware (which was also found on the server).

Additionally the database includes a list of nearly 2000 targets with their names, email addresses and other information, targeted since August 2014 when it appears that the currently used server was activated.

The investigators discovered in one of the false web pages that look like real ones the name of Yaser Balaghi who appears to be “Rocket Kitten” team leader, based on internal messages and emails. From there he is found easily with a quick Internet search (see below).

This is shameful example of bad Iranian OPSEC and completely undermines their otherwise arguable technical skills #awkward

Where’s Yaser? Here!:

http://yaserbalaghi.com (His main site)
http://stackoverflow.com/users/5617165/yaser-balaghi
https://evilzone.org/profile/?u=15677
https://www.google.com/imgres?imgurl=http://cdn.timesofisrael.com/uploads/2015/11/Balaghi.jpg
http://www.bridgesforpeace.com/images/content/news/News_10Nov15_3_screenshot_Brians_article.jpg